The Community Forums

Interact with an entire community of cPanel & WHM users!

I don't think cPHulk is working right (with ssh)

Discussion in 'Security' started by Spork Schivago, Jan 23, 2016.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    265
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Hello,

    Every day, in the morning, my server seems to get attacked. It's some sort of brute-force attack. My log is just flooded with stuff like this:

    Code:
    2:12 jetbbs sshd[27380]: input_userauth_request: invalid user nagios
    Jan 23 10:12:12 jetbbs sshd[27380]: Received disconnect from 104.208.39.227: 11: Bye Bye
    Jan 23 10:12:13 jetbbs sshd[27381]: Invalid user git from 104.208.39.227
    Jan 23 10:12:13 jetbbs sshd[27382]: input_userauth_request: invalid user git
    Jan 23 10:12:13 jetbbs sshd[27382]: Received disconnect from 104.208.39.227: 11: Bye Bye
    Jan 23 10:12:14 jetbbs sshd[27383]: Invalid user vagrant from 104.208.39.227
    Jan 23 10:12:14 jetbbs sshd[27384]: input_userauth_request: invalid user vagrant
    Jan 23 10:12:14 jetbbs sshd[27384]: Received disconnect from 104.208.39.227: 11: Bye Bye
    Jan 23 10:12:14 jetbbs sshd[27385]: Invalid user oracle from 104.208.39.227
    Jan 23 10:12:14 jetbbs sshd[27386]: input_userauth_request: invalid user oracle
    Jan 23 10:12:14 jetbbs sshd[27386]: Received disconnect from 104.208.39.227: 11: Bye Bye
    Jan 23 10:12:15 jetbbs sshd[27388]: Received disconnect from 104.208.39.227: 11: Bye Bye
    Jan 23 10:12:15 jetbbs sshd[27389]: Invalid user oracle from 104.208.39.227
    Jan 23 10:12:15 jetbbs sshd[27390]: input_userauth_request: invalid user oracle
    Jan 23 10:12:15 jetbbs sshd[27390]: Received disconnect from 104.208.39.227: 11: Bye Bye
    Jan 23 10:12:16 jetbbs sshd[27391]: Invalid user git from 104.208.39.227
    Jan 23 10:12:16 jetbbs sshd[27392]: input_userauth_request: invalid user git
    Jan 23 10:12:16 jetbbs sshd[27392]: Received disconnect from 104.208.39.227: 11: Bye Bye
    Jan 23 10:12:17 jetbbs sshd[27393]: Invalid user vagrant from 104.208.39.227
    Jan 23 10:12:17 jetbbs sshd[27394]: input_userauth_request: invalid user vagrant
    Jan 23 10:12:17 jetbbs sshd[27394]: Received disconnect from 104.208.39.227: 11: Bye Bye
    Jan 23 10:12:17 jetbbs sshd[27395]: Invalid user nagios from 104.208.39.227
    Jan 23 10:12:17 jetbbs sshd[27396]: input_userauth_request: invalid user nagios
    Jan 23 10:12:17 jetbbs sshd[27396]: Received disconnect from 104.208.39.227: 11: Bye Bye
    
    The IP address changes a little each day. Maybe by one number or so. Anyway, I have cPHulk installed and configured correctly, I think, but for some reason it doesn't seem to be detecting the ssh connections. I have password auth disabled and only key authentication enabled.

    Is there a way for me to get my system to automatically block these IP addresses after, let's say, 5 failed login attempts? I'd like to block them indefinitely. Thanks!
     
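    As an added illustration (not the poster's code and not cPanel's or CSF's own logic), here is a small Python pass over log lines in the format quoted above: it counts sshd "Invalid user" records per source IP and emits a CSF permanent-deny command for any IP at or above the five-attempt threshold the post asks about. The sample lines are constructed to match the excerpt, 198.51.100.7 is a documentation-range placeholder, and the `csf -d IP "comment"` syntax is assumed from CSF's command-line help.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the /var/log/secure excerpt quoted in
# the thread: one noisy source IP plus a second IP that stays under threshold.
SAMPLE_LOG = """\
Jan 23 10:12:13 jetbbs sshd[27381]: Invalid user git from 104.208.39.227
Jan 23 10:12:13 jetbbs sshd[27382]: input_userauth_request: invalid user git
Jan 23 10:12:14 jetbbs sshd[27383]: Invalid user vagrant from 104.208.39.227
Jan 23 10:12:14 jetbbs sshd[27385]: Invalid user oracle from 104.208.39.227
Jan 23 10:12:15 jetbbs sshd[27389]: Invalid user oracle from 104.208.39.227
Jan 23 10:12:16 jetbbs sshd[27391]: Invalid user git from 104.208.39.227
Jan 23 10:12:17 jetbbs sshd[27395]: Invalid user nagios from 104.208.39.227
Jan 23 10:20:01 jetbbs sshd[27500]: Invalid user admin from 198.51.100.7
"""

# sshd logs pre-auth failures for unknown accounts as "Invalid user NAME from IP";
# with password auth off these fail before any PAM password check, so a
# PAM-based blocker has nothing to count and the log is the reliable signal.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

def failed_logins(log_text):
    """Return {ip: Counter(username -> attempts)} from sshd log lines."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            user, ip = m.groups()
            per_ip[ip][user] += 1
    return per_ip

def offenders(log_text, threshold=5):
    """IPs with at least `threshold` invalid-user attempts, worst first."""
    per_ip = failed_logins(log_text)
    hits = {ip: sum(c.values()) for ip, c in per_ip.items()}
    return sorted((ip for ip, n in hits.items() if n >= threshold),
                  key=lambda ip: -hits[ip])

def csf_deny_commands(log_text, threshold=5):
    """Build `csf -d IP "comment"` (permanent deny; syntax assumed) per offender."""
    per_ip = failed_logins(log_text)
    cmds = []
    for ip in offenders(log_text, threshold):
        users = ",".join(sorted(per_ip[ip]))
        cmds.append(f'csf -d {ip} "sshd invalid users: {users}"')
    return cmds

if __name__ == "__main__":
    for cmd in csf_deny_commands(SAMPLE_LOG):
        print(cmd)
```

    Run it against the real file with `csf_deny_commands(open("/var/log/secure").read())`; CSF's own lfd daemon does this kind of counting continuously, which is what makes it the answer given later in the thread.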
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,447
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
  3. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    265
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Thank you Infopro. I've read that article. Unfortunately though, it doesn't tell me how to auto-block failed login attempts. Granted, hardening sshd is a great idea and I'm already using key authentication and have password authentication disabled. I can change the port, which wouldn't be a bad idea, and allow only my main user to log in.

    Here's the thing though. There's definitely someone trying to get in. I have over 12,000 lines in my /var/log/secure file, mostly failed login attempts. Even if they cannot get in via ssh, who's to say they don't find some remote exploit later in the future? Or, maybe they have one already and just haven't gotten around to running it, you know, trying various things, in order, trying to get in? I'd like to just have the failed logins get the IP address banned so they can't even see my domain / server.

    I'm familiar with programs like fail2ban. But I thought cPHulk was supposed to handle all of this for me, so I didn't need another program, like fail2ban. Thanks!
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,447
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    ConfigServer Firewall can be of great use.
    Changing SSH port is very important to quiet this sort of thing.

    Searching google for just one snip of your log yields quite a lot of results:
    input_userauth_request: invalid user nagios
    Here's one of them:
    Invalid users trying to log in to my server
     
  5. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    265
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Thanks Infopro. I knew it was some sort of script that was running, just by how quickly and how many times they were attempting to log in. Roughly 3 usernames per second or so. I think I might have to ban a whole network class? Every day, it seems to be getting worse but the IPs change, just enough.

    So, what's this ConfigServer Firewall? Is that part of cPanel / WHM? Or is that a third party program? I'm just curious as to what cPHulk is actually for if it can't successfully identify these types of attacks. I mean, it does recognize brute-force type attacks on my mail server, but that's about it. Thanks!
     
  6. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    265
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    I've been reading up on ConfigServer. If I have to install a third-party program, I'll probably go for something like that. I wish there was some cPanel / WHM plugin, like there is for cPHulk, so I could see everything graphically.

    I only have 1GB of RAM. Do you know how memory intensive this ConfigServer Firewall is? I know when I installed clamd or whatever the anti-virus program is called, it just about ate up all the memory I had and I had to uninstall it. Thanks.
     
  7. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    265
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    I've decided to check out ConfigServer Firewall and I do have to say, this is an amazing piece of hardware! Unfortunately, during the installation process, I got a warning that a few options would be disabled because of some missing iptables modules (ipt_REDIRECT and ipt_DNAT). ipt_REDIRECT is a very handy module for writing iptables redirect rules and I can't really understand why GoDaddy doesn't have it enabled for my virtual server. I got off the phone with tech support for the hosting and unfortunately, it was a very disappointing conversation. For some reason, the tech support person kept on thinking I just didn't know how to use iptables. He kept on saying that it's my responsibility to learn how to set up iptables. I could pay around $160 and have them set up the iptables rules. He also said the guy who sold me the VPS should have gone over stuff like this and asked if I've ever run a server before, before allowing me to get one.

    I kept trying to tell him that the problem wasn't me not knowing how to set up iptables rules or anything. I just needed a module added to /etc/sysconfig/iptables-config and /etc/sysconfig/vz at the hardware / parent node, outside of the virtual environment. He just kept saying that iptables was there and I could just google how to set it up. I felt that he didn't understand my issue and whenever I tried explaining it to him, he felt that he knew what the problem was and wasn't listening.

    I'm not sure what features would be disabled because of these missing modules but I have a feeling the ConfigServer Firewall will still be able to do everything that I need it to do. Thank you so much for pointing me towards this piece of software.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I've seen past discussions where a VPS provider implemented a policy that disallowed the use of these modules. I suggest following up with their support team to receive an official answer.

    Thank you.
     
  9. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    265
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Thanks for the reply cPanelMichael. However, I no longer need cPHulk to work properly. I'm now using a cPanel add-on suite called ConfigServer Firewall. I do have to say, it's very nice. I'm glad there's a cPanel plugin. It'd be real nice if it came with cPanel automatically. I honestly can't see where it'd hurt anything. cPanel could have an option where it's disabled until the administrator of the server enables it. Anyway, thanks for the help!
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    I am happy to see that CSF is working well for you. It's a third-party application so it's not a utility that we would include by default per the comments in this feature request:

    Integrate ConfigServer Security & Firewall (CSF/LFD) & Remove cPHulk

    Thank you.
     
  11. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    265
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Thanks again cPanelMichael. From reading the comments that you linked me to, I have a question about Travis Ellis's statement:
    Code:
    We have no plan of removing cPHulk. It is vital for the authentication system.
    
    The question is about the cPHulk being vital for the authentication system. Does this mean if I have ConfigServer Firewall installed, I should keep cPHulk enabled? From all the reading I've done, CSF, when properly configured, seems to be able to replace cPHulk. Would there be any downfalls from disabling cPHulk and using just CSF? Or is it one of those things where if I don't have something like CSF, cPHulk is vital, and if I have CSF, I can safely disable cPHulk? Thanks!
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    It's acceptable to disable cPHulk without affecting authentication services.

    Thank you.
     
  13. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    265
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner